Abstract

Several quantum process algebras have been proposed and successfully applied in the verification of quantum cryptographic protocols. All of the bisimulations proposed so far for quantum processes in these process algebras are state-based, meaning that they only compare individual quantum states, but not combinations of them. This paper remedies this problem by introducing a novel notion of distribution-based bisimulation for quantum processes. We further propose an approximate version of this bisimulation that enables us to prove more sophisticated security properties of quantum protocols which cannot be verified using the previous bisimulations. In particular, we prove that the quantum key distribution protocol BB84 is sound and (asymptotically) secure against intercept-resend attacks by showing that the BB84 protocol, when executed concurrently with such an attacker, is approximately bisimilar to an ideal protocol, whose soundness and security are obviously guaranteed, with at most an exponentially decreasing gap.
1 Introduction

Quantum cryptography can provide unconditional security; it allows the realisation of cryptographic tasks that are proven or conjectured to be impossible in classical cryptography. The security of quantum cryptographic protocols is mathematically provable, based on the principles of quantum mechanics, without imposing any restrictions on the computational capacity of attackers. The proof is, however, often notoriously difficult, as evidenced by the 50-page-long security proof of the quantum key distribution protocol BB84 [20]. It is hard to imagine such an analysis being carried out for more sophisticated quantum protocols. Thus, techniques for (semi-)automated verification of quantum protocols will be indispensable, given that quantum communication systems are already commercially available.

Process algebra has been successfully applied in the verification of classical (non-quantum) cryptographic protocols. One key step for such a process algebraic approach is a suitable notion of bisimulation which has appropriate distinguishing power and is preserved by the various process constructs. Intuitively, two systems are bisimilar if and only if each observable action of one of them can be simulated by the other by performing the same observable action (possibly preceded and/or followed by some unobservable internal actions), and furthermore, the resultant systems are again bisimilar. To verify a cryptographic protocol, we first give a specification, which is an ideal protocol with obvious correctness and security, and then show that the given protocol is bisimilar (or approximately bisimilar, with a small perturbation) to the specification.

In the last 10 years, several quantum process algebras like CQP [?], QPAlg [?] and qCCS [?] have been introduced, which provide an intuitive but rigorous way to model and reason about quantum communication systems. In particular, they have been adopted in the verification of several popular quantum communication protocols such as Teleportation, Superdense Coding, etc. Similar to the classical case, the notion of bisimulation is crucial in process algebra-based verification of quantum protocols. Actually, several different versions of bisimulation have been proposed for quantum processes in the recent literature [?]. A key feature of all of them is that they are state-based in the sense that they only compare individual configurations but not a combination of them. More explicitly, they are defined to be relations over configurations, which are pairs of a quantum process and a density operator describing the state of the environment quantum systems. However, when distributions of configurations are considered (which is inevitable for protocols where randomness is employed or quantum measurement is involved), state-based bisimulations are too discriminative: they distinguish some distributions which will never be distinguished by any outside observer, thereby providing the potential attacker of a cryptographic protocol with unrealistic power. As an extreme example, a state-based bisimulation distinguishes the distribution $p(nil,\rho) + (1-p)(nil,\sigma)$ from the single configuration $(nil,\ p\rho + (1-p)\sigma)$ if $\rho \neq \sigma$, where $nil$ is the dead process incapable of performing any action.

In this paper, we propose a novel bisimulation for quantum processes which is defined directly on distributions of quantum configurations. Compared with existing bisimulations in the literature, our definition is strictly coarser (in particular, it equates the two distributions presented above) and takes into account the combination of the accompanying quantum states. We further define a pseudo-metric to characterise the extent to which two quantum processes are bisimilar. Note that we only consider quantum processes written in qCCS, but the main results can easily be generalised to other quantum process algebras like CQP and QPAlg.

To illustrate the utility of distribution-based bisimulation and the pseudo-metric in the verification of quantum cryptographic protocols, we analyse the soundness and security of the well-known BB84 quantum key distribution protocol [3]. For the soundness, we show that when executed alone (without the presence of an attacker), BB84 is bisimilar to an ideal protocol which always returns a uniformly distributed (conditioned on a given key size) key. For the security analysis, we prove that when BB84 is executed concurrently with an intercept-resend attacker, the whole system is approximately bisimilar, with at most an exponentially decreasing gap, to an ideal protocol which never reports failure or information leakage. To the best of our knowledge, this is the first time (a weak notion of) security of BB84 is formally described and verified in the quantum process algebra approach.

Related works. The problem of existing bisimulations, as pointed out in the third paragraph of this section, was also noted by Kubota et al. [?]. To deal with it, they adopted two different semantics for quantum measurements. When a measurement induces a probability distribution in which all configurations have the same observable actions, it is represented semantically as a super-operator obtained by discarding the measurement outcome (thus no probabilistic branching is produced, and all post-measurement quantum states are merged). Otherwise, the measurement has the same semantics as in the original qCCS. This treatment solves the problem when probabilistic behaviours are only induced by quantum measurements. However, it does not work when probabilistic choice is included at the syntax level, as we do in describing the BB84 protocol in this paper. Furthermore, it brings difficulty in deciding the right semantics of a quantum process where a measurement is involved, as determining whether the observable actions of the post-measurement configurations are all the same might not be easy; sometimes it even depends on later input from the environment. In this paper, we solve this problem by revising the definition of bisimulation, instead of the definition of the semantics.

In the same paper [?], Kubota et al. applied qCCS (with the semantic modification mentioned above) to show the security of BB84. They proved that BB84 is bisimilar to an EDP-based protocol, following the proof of Shor and Preskill [?]. However, this should not be regarded as a complete security proof, as it relies on the security of the EDP-based protocol. In contrast, our approach shows the security of BB84 directly. Note that for this purpose, a notion of approximate bisimulation, which was not presented in [?], is necessary, as BB84 is secure only in the sense that the eavesdropper's information about the secure key obtained by the legitimate parties is arbitrarily small (but can still be strictly positive) when the number of qubits transmitted (called the security parameter) goes to infinity.

Software tools based on the quantum process algebra CQP have been developed in [2] and [5] to check the equivalence between quantum sequential programs as well as concurrent protocols. These tools were applied to verify the correctness of protocols like Teleportation, the Bit Flip Error Correction Code, and Quantum Secret Sharing. However, verification of security properties in cryptographic protocols such as BB84 has not been reported yet.

Besides the process algebra approach, model checking is another promising approach for the verification of quantum cryptographic protocols. For example, by observing the fact that the quantum states appearing in BB84, when only intercept-resend eavesdroppers are considered, are all so-called stabiliser states, which can be efficiently encoded in a classical way, Nagarajan et al. [?] analysed the security of BB84 by using the probabilistic model checker PRISM [?].

2 Preliminaries

In this section we review the model of probabilistic labelled transition systems (pLTSs) and 
the notion of lifted relations. Later on we will interpret the behaviour of quantum processes 
in terms of pLTSs. 


2.1 Probabilistic labelled transition systems 

A (finite-support) probability distribution over a set $S$ is a function $\mu : S \to [0,1]$ with $\mu(s) > 0$ for finitely many $s \in S$ and $\sum_{s \in S} \mu(s) = 1$. The support of such a $\mu$ is the set $\lceil \mu \rceil = \{ s \in S \mid \mu(s) > 0 \}$. The point distribution $\bar{s}$ assigns probability 1 to $s$ and 0 to all other elements of $S$, so that $\lceil \bar{s} \rceil = \{s\}$. We use $D(S)$ to denote the set of probability distributions over $S$, ranged over by $\mu, \nu$ etc. If $\sum_{i \in I} p_i = 1$ for some collection of $p_i > 0$, and $\mu_i \in D(S)$, then $\sum_{i \in I} p_i \cdot \mu_i \in D(S)$ is a combined probability distribution with $(\sum_{i \in I} p_i \cdot \mu_i)(s) = \sum_{i \in I} p_i \cdot \mu_i(s)$. We always assume the index set $I$ to be finite.

► Definition 1. A probabilistic labelled transition system (pLTS) is a triple $(S, Act, \rightarrow)$, where $S$ is a set of states, $Act$ is a set of transition labels with a special element $\tau$ included, and the transition relation $\rightarrow$ is a subset of $S \times Act \times D(S)$.
2.2 Lifting relations

In a pLTS actions are only performed by states, in that they are given by relations from states to distributions. But in general we allow distributions over states to perform an action. For this purpose, we lift these relations to distributions [13, ?].

► Definition 2 (Lifting). Let $\mathcal{R} \subseteq S \times D(S)$ be a relation. The lifted relation, denoted by $\mathcal{R}$ again for simplicity, is the smallest relation $\mathcal{R} \subseteq D(S) \times D(S)$ that satisfies

1. $s \mathcal{R} \nu$ implies $\bar{s} \mathcal{R} \nu$, and

2. (Linearity) $\mu_i \mathcal{R} \nu_i$ for $i \in I$ implies $(\sum_{i \in I} p_i \cdot \mu_i) \mathcal{R} (\sum_{i \in I} p_i \cdot \nu_i)$ for any $p_i \in [0,1]$ with $\sum_{i \in I} p_i = 1$.

We apply this operation to the relations $\xrightarrow{\alpha}$ in a pLTS for $\alpha \in Act$. Thus as the source of a relation $\xrightarrow{\alpha}$ we also allow distributions. But $\bar{s} \xrightarrow{\alpha} \mu$ is more general than $s \xrightarrow{\alpha} \mu$, because if $\bar{s} \xrightarrow{\alpha} \mu$ then there is a collection of distributions $\mu_i$ and probabilities $p_i$ such that $s \xrightarrow{\alpha} \mu_i$ for each $i \in I$ and $\mu = \sum_{i \in I} p_i \cdot \mu_i$ with $\sum_{i \in I} p_i = 1$; that is, we allow different transitions to be combined together, provided that they have the same source $s$ and the same label $\alpha$.

Sometimes we also need to lift a relation on states, say a state-based bisimulation, to distributions. This can be done by the following two steps. Let $\mathcal{R} \subseteq S \times S$ be such a relation. First, it induces a relation $\mathcal{R} \subseteq S \times D(S)$ between states and distributions: $\mathcal{R} := \{ (s, \bar{t}) \mid s \mathcal{R} t \}$. Then we can use Definition 2 to lift $\mathcal{R}$ to distributions. Note that when $\mathcal{R}$ is an equivalence relation over $S$, the lifted relation over $D(S)$ coincides with the lifting defined in [?].

In Definition 2, linearity tells us how to compare two linear combinations of distributions. Sometimes we need a dual notion of decomposition. Intuitively, if a relation $\mathcal{R}$ is left-decomposable and $\mu \mathcal{R} \nu$, then for any decomposition of $\mu$ there exists some corresponding decomposition of $\nu$.

► Definition 3 (Left-decomposable). A binary relation over distributions, $\mathcal{R} \subseteq D(S) \times D(S)$, is called left-decomposable if $(\sum_{i \in I} p_i \cdot \mu_i) \mathcal{R} \nu$ implies that $\nu$ can be written as $(\sum_{i \in I} p_i \cdot \nu_i)$ such that $\mu_i \mathcal{R} \nu_i$ for every $i \in I$.

The next lemma shows that any lifted relation is left-decomposable.

► Lemma 4 ([6]). For any $\mathcal{R} \subseteq S \times D(S)$ or $S \times S$, the lifted relation over distributions is left-decomposable.

With the help of lifted relations, we are now able to define various (weak) transitions between distributions for a pLTS.

► Definition 5. Given a pLTS $(S, Act, \rightarrow)$, we define the following transitions over distributions:

1. $\xrightarrow{\hat{\tau}}$. Let $s \xrightarrow{\hat{\tau}} \mu$ if either $s \xrightarrow{\tau} \mu$ or $\mu = \bar{s}$, and lift it to distributions;

2. $\xrightarrow{\hat{\alpha}}$ for $\alpha \neq \tau$. Let $s \xrightarrow{\hat{\alpha}} \mu$ if $s \xrightarrow{\alpha} \mu$, and lift it to distributions;

3. $\Rightarrow$. Let $\Rightarrow\ = (\xrightarrow{\hat{\tau}})^*$ be the reflexive and transitive closure of $\xrightarrow{\hat{\tau}}$;

4. $\stackrel{\alpha}{\Rightarrow}$ for $\alpha \neq \tau$. Let $\stackrel{\alpha}{\Rightarrow}\ = \ \Rightarrow \xrightarrow{\hat{\alpha}} \Rightarrow$. For point distributions, we often write $s \stackrel{\alpha}{\Rightarrow} \nu$ instead of $\bar{s} \stackrel{\alpha}{\Rightarrow} \nu$.

Note that here $\stackrel{\alpha}{\Rightarrow}$ is not a lifted transition. However, the next lemma shows that it is still both linear and left-decomposable.

► Lemma 6 ([6]). The transition relations $\Rightarrow$ and $\stackrel{\alpha}{\Rightarrow}$ are both linear and left-decomposable.
3 qCCS: Syntax and Semantics

In this section, we review the syntax and semantics of qCCS, a quantum extension of value-passing CCS introduced in [?], and a notion of state-based bisimulation for qCCS processes presented in [?]. We assume the readers are familiar with the basic notions of quantum information theory; those who are not may refer to [?].

3.1 Syntax 

We assume three types of data in qCCS: Bool for booleans, real numbers Real for classical data, and qubits Qbt for quantum data. Let cVar, ranged over by $x, y, \ldots$, be the set of classical variables, and qVar, ranged over by $q, r, \ldots$, the set of quantum variables. It is assumed that cVar and qVar are both countably infinite. We assume a set Exp, which includes cVar as a subset and is ranged over by $e, e', \ldots$, of classical expressions over Real, and a set of boolean-valued expressions BExp, ranged over by $b, b', \ldots$, with the usual set of boolean operators $tt$, $ff$, $\wedge$, $\vee$, and $\rightarrow$. In particular, we let $e \bowtie e'$ be a boolean expression for any $e, e' \in Exp$ and $\bowtie \in \{>, <, \geq, \leq, =\}$. We further assume that only classical variables can occur free in data expressions and boolean expressions. Let cChan be the set of classical channel names, ranged over by $c, d, \ldots$, and qChan the set of quantum channel names, ranged over by $\mathbf{c}, \mathbf{d}, \ldots$. Let $Chan = cChan \cup qChan$. A relabeling function $f$ is a one-to-one function from $Chan$ to $Chan$ such that $f(cChan) \subseteq cChan$ and $f(qChan) \subseteq qChan$.

We often abbreviate the indexed set $\{q_1, \ldots, q_n\}$ to $\tilde{q}$ when $q_1, \ldots, q_n$ are distinct quantum variables and the dimension $n$ is understood. Sometimes we also use $\tilde{q}$ to denote the string $q_1 \ldots q_n$. We assume a set of process constant schemes, ranged over by $A, B, \ldots$. Assigned to each process constant scheme $A$ there are two non-negative integers $ar_c(A)$ and $ar_q(A)$. If $\tilde{x}$ is a tuple of classical variables with $|\tilde{x}| = ar_c(A)$, and $\tilde{q}$ a tuple of distinct quantum variables with $|\tilde{q}| = ar_q(A)$, then $A(\tilde{x}, \tilde{q})$ is called a process constant. When $ar_c(A) = ar_q(A) = 0$, we also denote by $A$ the (unique) process constant produced by $A$.

The syntax of qCCS terms can be given by the Backus-Naur form as

$t ::= nil \mid A(\tilde{e}, \tilde{q}) \mid \alpha.t \mid t + t \mid t \| t \mid t \backslash L \mid t[f] \mid \mathbf{if}\ b\ \mathbf{then}\ t$

$\alpha ::= \tau \mid c?x \mid c!e \mid \mathbf{c}?q \mid \mathbf{c}!q \mid \mathcal{E}[\tilde{q}] \mid M[\tilde{q}; x]$

where $c \in cChan$, $x \in cVar$, $\mathbf{c} \in qChan$, $q \in qVar$, $\tilde{q} \subseteq qVar$, $e \in Exp$, $\tilde{e} \subseteq Exp$, $\tau$ is the silent action, $A$ is a process constant scheme, $f$ is a relabeling function, $L \subseteq Chan$, $b \in BExp$, and $\mathcal{E}$ and $M$ are respectively a super-operator and a quantum measurement applying on the Hilbert space associated with the systems $\tilde{q}$.

To exclude quantum processes which are not physically implementable, we also require $q \notin qv(t)$ in $\mathbf{c}?q.t$ and $qv(t) \cap qv(u) = \emptyset$ in $t \| u$, where for a process term $t$, $qv(t)$ is the set of its free quantum variables, i.e., those not bound by a quantum input $\mathbf{c}?q$. The notion of free classical variables in quantum processes can be defined in the usual way, with the only modification that the quantum measurement prefix $M[\tilde{q}; x]$ has binding power on $x$. A quantum process term $t$ is closed if it contains no free classical variables, i.e., $fv(t) = \emptyset$. We let $\mathcal{T}$, ranged over by $t, u, \ldots$, be the set of all qCCS terms, and $\mathcal{P}$, ranged over by $P, Q, \ldots$, the set of closed terms. To complete the definition of the qCCS syntax, we assume that for each process constant $A(\tilde{x}, \tilde{q})$, there is a defining equation $A(\tilde{x}, \tilde{q}) := t$ where $fv(t) \subseteq \tilde{x}$ and $qv(t) \subseteq \tilde{q}$. Throughout the paper we implicitly assume the convention that process terms are identified up to $\alpha$-conversion.

The process constructs we give here are quite similar to those in classical CCS, and they also have similar intuitive meanings: $nil$ stands for a process which does not perform any action; $c?x$ and $c!e$ are respectively classical input and classical output, while $\mathbf{c}?q$ and $\mathbf{c}!q$ are their quantum counterparts. $\mathcal{E}[\tilde{q}]$ denotes the action of performing the quantum operation $\mathcal{E}$ on the qubits $\tilde{q}$, while $M[\tilde{q}; x]$ measures the qubits $\tilde{q}$ according to $M$ and stores the measurement outcome in the classical variable $x$. $+$ models nondeterministic choice: $t + u$ behaves like either $t$ or $u$ depending on the choice of the environment. $\|$ denotes the usual parallel composition. The operators $\backslash L$ and $[f]$ model restriction and relabeling, respectively: $t \backslash L$ behaves like $t$ but any action through the channels in $L$ is forbidden, and $t[f]$ behaves like $t$ where each channel name is replaced by its image under the relabeling function $f$. Finally, $\mathbf{if}\ b\ \mathbf{then}\ t$ is the standard conditional choice where $t$ can be executed only if $b$ evaluates to $tt$.

An evaluation $\psi$ is a function from cVar to Real; it can be extended in an obvious way to functions from Exp to Real and from BExp to $\{tt, ff\}$, and finally, from $\mathcal{T}$ to $\mathcal{P}$. For simplicity, we still use $\psi$ to denote these extensions. Let $\psi\{v/x\}$ be the evaluation which differs from $\psi$ only in that it maps $x$ to $v$.

3.2 Transitional semantics 

For each quantum variable $q \in qVar$, we assume a 2-dimensional Hilbert space $\mathcal{H}_q$ to be the state space of the $q$-system. For any $V \subseteq qVar$, we denote $\mathcal{H}_V = \bigotimes_{q \in V} \mathcal{H}_q$. In particular, $\mathcal{H} = \mathcal{H}_{qVar}$ is the state space of the whole environment consisting of all the quantum variables. Note that $\mathcal{H}$ is a countably-infinite dimensional Hilbert space. For any $V \subseteq qVar$ we denote by $\overline{V}$ the complement set of $V$ in qVar.

Suppose $P$ is a closed quantum process. A pair of the form $(P, \rho)$ is called a configuration, where $\rho \in \mathcal{D}(\mathcal{H})$ is a density operator on $\mathcal{H}$¹. The set of configurations is denoted by $Con$, and ranged over by $\mathcal{C}, \mathcal{D}, \ldots$. Let

$Act = \{\tau\} \cup \{c?v, c!v \mid c \in cChan, v \in Real\} \cup \{\mathbf{c}?r, \mathbf{c}!r \mid \mathbf{c} \in qChan, r \in qVar\}.$

For each $\alpha \in Act$, we define the bound quantum variables $qbv(\alpha)$ of $\alpha$ as $qbv(\mathbf{c}?r) = \{r\}$ and $qbv(\alpha) = \emptyset$ if $\alpha$ is not a quantum input. The set of channel names used in action $\alpha$ is denoted by $cn(\alpha)$; that is, $cn(c?v) = cn(c!v) = \{c\}$, $cn(\mathbf{c}?r) = cn(\mathbf{c}!r) = \{\mathbf{c}\}$, and $cn(\tau) = \emptyset$. We also extend the relabelling function to $Act$ in an obvious way. Then the transitional semantics of qCCS can be given by a pLTS $(Con, Act, \rightarrow)$, where $\rightarrow\ \subseteq Con \times Act \times D(Con)$ is the smallest relation satisfying the inference rules depicted in Fig. 1. The symmetric forms for rules Par, Comc, Comq, and Sum are omitted. We abuse the notation slightly by writing $\mathcal{C} \xrightarrow{\alpha} \mathcal{D}$ for $\mathcal{C} \xrightarrow{\alpha} \overline{\mathcal{D}}$. We also use the obvious extension of the function $\|$ on configurations to distributions. To be precise, if $\mu = \sum_{i \in I} p_i \cdot (P_i, \rho_i)$ then $\mu \| Q$ denotes the distribution $\sum_{i \in I} p_i \cdot (P_i \| Q, \rho_i)$. Similar extensions apply to $\mu[f]$ and $\mu \backslash L$.

3.3 State-based bisimulation 

In this subsection, we recall the basic definitions and properties of the state-based bisimulation introduced in [?]. Let $\mathcal{C} = (P, \rho)$ be a configuration and $\mathcal{E}$ a super-operator. We denote $qv(\mathcal{C}) = qv(P)$, $env(\mathcal{C}) = tr_{qv(P)}(\rho)$ (the quantum environment of process $P$ in $\mathcal{C}$), and $\mathcal{E}(\mathcal{C}) = (P, \mathcal{E}(\rho))$. Furthermore, for a distribution $\mu = \sum_i p_i \mathcal{C}_i$ with $p_i > 0$ for each $i$, we write $qv(\mu) = \bigcup_i qv(\mathcal{C}_i)$, $env(\mu) = \sum_i p_i \cdot env(\mathcal{C}_i)$, and $\mathcal{E}(\mu) = \sum_i p_i \mathcal{E}(\mathcal{C}_i)$. For any $V \subseteq qVar$, denote by $SO(\mathcal{H}_V)$ the set of super-operators on $\mathcal{H}_V$.

¹ As $\mathcal{H}$ is infinite dimensional, $\rho$ should be understood as a density operator on some finite dimensional subspace of $\mathcal{H}$ which contains $\mathcal{H}_{qv(P)}$.
Figure 1 Transitional semantics of qCCS


► Definition 7. A relation $\mathcal{R} \subseteq Con \times Con$ is closed under super-operator application if $\mathcal{C} \mathcal{R} \mathcal{D}$ implies $\mathcal{E}(\mathcal{C}) \mathcal{R} \mathcal{E}(\mathcal{D})$ for all $\mathcal{E} \in SO(\mathcal{H}_{\overline{qv(\mathcal{C}) \cup qv(\mathcal{D})}})$. More generally, a relation $\mathcal{R} \subseteq D(Con) \times D(Con)$ is closed under super-operator application if $\mu \mathcal{R} \nu$ implies $\mathcal{E}(\mu) \mathcal{R} \mathcal{E}(\nu)$ for all $\mathcal{E} \in SO(\mathcal{H}_{\overline{qv(\mu) \cup qv(\nu)}})$.

► Definition 8. 1. A symmetric relation $\mathcal{R} \subseteq Con \times Con$ is called a state-based ground bisimulation if $\mathcal{C} \mathcal{R} \mathcal{D}$ implies that

(i) $qv(\mathcal{C}) = qv(\mathcal{D})$, and $env(\mathcal{C}) = env(\mathcal{D})$,

(ii) whenever $\mathcal{C} \xrightarrow{\alpha} \mu$, there exists $\nu$ such that $\mathcal{D} \stackrel{\hat{\alpha}}{\Rightarrow} \nu$ and $\mu \mathcal{R} \nu$.

2. A relation $\mathcal{R}$ is a state-based bisimulation if it is a state-based ground bisimulation, and is closed under super-operator application.

3. Two quantum configurations $\mathcal{C}$ and $\mathcal{D}$ are state-based bisimilar, denoted by $\mathcal{C} \approx_s \mathcal{D}$, if there exists a state-based bisimulation $\mathcal{R}$ such that $\mathcal{C} \mathcal{R} \mathcal{D}$.

4. Two quantum process terms $t$ and $u$ are state-based bisimilar, denoted by $t \approx_s u$, if for any quantum state $\rho \in \mathcal{D}(\mathcal{H})$ and any evaluation $\psi$, $(t\psi, \rho) \approx_s (u\psi, \rho)$.

Note that in Clause 1.(ii) of the above definition, $\mu \mathcal{R} \nu$ means $\mu$ and $\nu$ are related by the relation lifted from $\mathcal{R}$. The following theorem is taken from [?].

► Theorem 9. 1. The bisimilarity relation $\approx_s$ is the largest state-based bisimulation on $Con$, and it is an equivalence relation.

2. As a lifted relation on $D(Con)$, $\approx_s$ is both linear and left-decomposable.

4 Distribution-based bisimulation

Note that in [?], it has already been shown by examples that state-based bisimulation is sometimes too discriminative for probabilistic automata. These examples certainly work for quantum processes as well. Furthermore, as the following example indicates, the problem becomes more serious in the quantum setting, as the accompanying quantum states can and should be combined when simulating each other.

► Example 10. Let $M = \lambda_0 |0\rangle\langle 0| + \lambda_1 |1\rangle\langle 1|$ be a two-outcome measurement according to the computational basis, and $\mathcal{E}$ a super-operator with Kraus operators $|0\rangle\langle 0|$ and $|1\rangle\langle 1|$. Let $\rho$ be a density operator on $\mathcal{H}_{\overline{q}}$, and let $\mathcal{C} := (M[q; x].nil,\ |+\rangle_q\langle +| \otimes \rho)$ and $\mathcal{D} := (\mathcal{E}[q].nil,\ |+\rangle_q\langle +| \otimes \rho)$ be two configurations, where $|+\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$. Note that in the process $M[q; x].nil$ the measurement outcome is never used (as $x \notin fv(nil)$), while the effect of $\mathcal{E}[q]$ is exactly measuring the system $q$ according to $M$ but ignoring the measurement outcome. Thus we definitely would like to regard $\mathcal{C}$ and $\mathcal{D}$ as being bisimilar².

However, we can show that $\mathcal{C} \not\approx_s \mathcal{D}$. Let $\mathcal{C}_0 = (nil, |0\rangle_q\langle 0| \otimes \rho)$, $\mathcal{C}_1 = (nil, |1\rangle_q\langle 1| \otimes \rho)$, $\mathcal{C}_I = (nil, I_q/2 \otimes \rho)$, and $\mu = \frac{1}{2}\mathcal{C}_0 + \frac{1}{2}\mathcal{C}_1$. Then obviously $\mu \not\approx_s \mathcal{C}_I$, as otherwise, by the left-decomposability of $\approx_s$, we must have both $\mathcal{C}_0 \approx_s \mathcal{C}_I$ and $\mathcal{C}_1 \approx_s \mathcal{C}_I$, which is impossible.

Actually, the argument in Example 10 applies to any bisimulation which is state-based: by Lemma 4, any bisimulation between distributions which is lifted from configurations is left-decomposable, hence discriminates $\mathcal{C}$ and $\mathcal{D}$. Therefore, to make these two obviously indistinguishable configurations bisimilar, we have to define the bisimulation relation directly on distributions, rather than on configurations and then lift it to distributions.

For this purpose, we extend the distribution-based bisimulation introduced in [3] to our quantum setting. A distribution $\mu$ is said to be transition consistent if for any $\mathcal{C} \in \lceil \mu \rceil$ and $\alpha \neq \tau$, $\mathcal{C} \stackrel{\alpha}{\Rightarrow} \nu_{\mathcal{C}}$ for some $\nu_{\mathcal{C}}$ implies $\mu \stackrel{\alpha}{\Rightarrow} \nu$ for some $\nu$; i.e., all configurations in its support have the same set of enabled visible actions (possibly after some invisible transitions). Furthermore, a decomposition $\mu = \sum_{i \in I} p_i \cdot \mu_i$, $p_i > 0$ for each $i \in I$, is a tc-decomposition of $\mu$ if for each $i \in I$, $\mu_i$ is transition consistent.

► Definition 11. 1. A symmetric relation $\mathcal{R} \subseteq D(Con) \times D(Con)$ is called a (distribution-based) ground bisimulation if for any $\mu, \nu \in D(Con)$, $\mu \mathcal{R} \nu$ implies that

(i) $qv(\mu) = qv(\nu)$, and $env(\mu) = env(\nu)$,

(ii) whenever $\mu \xrightarrow{\alpha} \mu'$, there exists $\nu'$ such that $\nu \stackrel{\hat{\alpha}}{\Rightarrow} \nu'$ and $\mu' \mathcal{R} \nu'$,

(iii) if $\mu$ is not transition consistent, and $\mu = \sum_{i \in I} p_i \cdot \mu_i$ is a tc-decomposition, then $\nu \Rightarrow \sum_{i \in I} p_i \cdot \nu_i$ such that for each $i$, $\mu_i \mathcal{R} \nu_i$.

2. A relation $\mathcal{R}$ is a (distribution-based) bisimulation if it is a ground bisimulation, and is closed under super-operator application.

In contrast with Definition 8, the above definition has an additional requirement, Clause 1.(iii). This clause is crucial for distribution-based bisimulation, as the transition $\mu \xrightarrow{\alpha} \mu'$ in Clause 1.(ii) is possible only when $\mu$ is transition consistent for $\alpha$; that is, all configurations in the support of $\mu$ can perform a weak $\alpha$-transition. For those actions for which $\mu$ is not transition consistent, we must first split $\mu$ into transition consistent components, and then compare them with the corresponding components of $\nu$ individually.

The bisimilarity $\approx$ for quantum configurations and for quantum process terms is defined similarly to the state-based case. The next theorem collects some useful properties of the distribution-based bisimilarity.


² Note that $\mathcal{C}$ and $\mathcal{D}$ would be regarded as 'semantically identical' in [?], instead of '(distribution-based) bisimilar' as we do in this paper, since the semantics of $M[q; x]$ in this case is represented as $\mathcal{E}[q]$ by definition.
► Theorem 12. 1. The bisimilarity relation $\approx$ is the largest bisimulation on $D(Con)$, and it is an equivalence relation.

2. $\approx$ is linear, but not left-decomposable.


A direct consequence of Theorem 12 is a deciding algorithm for the bisimilarity between recursion-free quantum configurations, which is sufficient for most practical quantum cryptographic protocols. First, as pointed out in [?], any recursion-free quantum process can be modified to be free of quantum input, so that the bisimilarity between such processes can be verified by only examining the ground bisimulation. Second, it has been proved in [?, Lemma 1] that every linear bisimulation $\mathcal{R}$ corresponds to a matrix $E$, so that two distributions $\mu$ and $\nu$ are related by $\mathcal{R}$ if and only if $(\mu - \nu)E = 0$, where distributions are seen as vectors. As our ground bisimulation for quantum processes is indeed linear, the algorithm presented in [?], with slight changes, can be used to decide it. For the sake of space, we omit the details here and refer interested readers to [?].

To conclude this section, we would like to show that our distribution-based bisimulation is weaker than its state-based counterpart presented in Definition 8.

► Theorem 13. Let $\mu, \nu \in D(Con)$. Then $\mu \approx_s \nu$ implies $\mu \approx \nu$, but $\mu \approx \nu$ does not necessarily imply $\mu \approx_s \nu$. In particular, we have in Example 10 that $\mu \approx \mathcal{C}_I$ and $\mathcal{C} \approx \mathcal{D}$.


5 Bisimulation metric

In the previous section, only exact bisimulation is presented, where two quantum processes are either bisimilar or non-bisimilar. Obviously, such a bisimulation cannot capture the idea that a quantum process approximately implements its specification. To measure the behavioural distance between processes, the notion of approximate bisimulation and the bisimulation distance for qCCS processes were introduced in [?]. This section is devoted to extending this approximate bisimulation to the distribution-based case. Note that approximate bisimulation has been investigated in probabilistic process algebra and probabilistic labelled transition systems in the context of security analysis [?].

Recall that the trace distance of $\rho, \sigma \in \mathcal{D}(\mathcal{H})$ is defined to be $d(\rho, \sigma) = \frac{1}{2}\|\rho - \sigma\|_{tr}$, where $\|\cdot\|_{tr}$ denotes the trace norm. We have the following definition.
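The two quantities that the distribution-based definitions combine, $env(\mu) = \sum_i p_i \cdot env(\mathcal{C}_i)$ from Section 3.3 and the trace distance just recalled, are easy to compute concretely on the single-qubit configurations of Example 10. The following Python is an added example, not code from the paper: it represents density operators as plain 2x2 matrices (the assumed helper names `mixture`, `dephase`, `measure_branches` and `trace_distance` are this example's own) and checks that the combined post-measurement state of $\mu = \frac{1}{2}\mathcal{C}_0 + \frac{1}{2}\mathcal{C}_1$ coincides with $env(\mathcal{C}_I) = I_q/2$, while each individual branch $\mathcal{C}_0$, $\mathcal{C}_1$ sits at trace distance $\frac{1}{2}$ from $\mathcal{C}_I$, which is exactly why a state-based comparison separates them and a distribution-based one does not.

```python
# Added example (not from the paper): env(mu) as a weighted mixture and the
# trace distance d(rho, sigma) = 1/2 ||rho - sigma||_tr on 2x2 density operators,
# applied to the configurations of Example 10. The environment register rho of
# the example is omitted; only the qubit q is tracked.
import math

KET0 = [[1, 0], [0, 0]]            # |0><0|  (env of C_0)
KET1 = [[0, 0], [0, 1]]            # |1><1|  (env of C_1)
PLUS = [[0.5, 0.5], [0.5, 0.5]]    # |+><+|  (env of C and D before their tau step)
HALF_I = [[0.5, 0], [0, 0.5]]      # I_q / 2 (env of C_I)


def mixture(weighted):
    """env(mu) for mu = sum_i p_i * C_i: the p_i-weighted sum of the env(C_i)."""
    out = [[0.0, 0.0], [0.0, 0.0]]
    for p, rho in weighted:
        for r in range(2):
            for c in range(2):
                out[r][c] += p * rho[r][c]
    return out


def measure_branches(rho):
    """Outcome probabilities and post-measurement states of the measurement M
    of Example 10 (computational basis): the two configurations C_0, C_1."""
    return [(rho[0][0].real, KET0), (rho[1][1].real, KET1)]


def dephase(rho):
    """The super-operator E of Example 10 (Kraus operators |0><0| and |1><1|):
    it keeps the diagonal and drops the coherences, i.e. it measures M and
    forgets the outcome."""
    return [[rho[0][0], 0], [0, rho[1][1]]]


def trace_distance(rho, sigma):
    """1/2 ||rho - sigma||_tr for 2x2 Hermitian operators. The trace norm is the
    sum of the absolute eigenvalues, which for 2x2 matrices has a closed form."""
    a = (rho[0][0] - sigma[0][0]).real
    b = rho[0][1] - sigma[0][1]
    d = (rho[1][1] - sigma[1][1]).real
    mean = (a + d) / 2
    radius = math.sqrt(((a - d) / 2) ** 2 + abs(b) ** 2)
    lam1, lam2 = mean + radius, mean - radius
    return 0.5 * (abs(lam1) + abs(lam2))


def example10_distances():
    """Distances behind the argument of Example 10 and Theorem 13."""
    mu_env = mixture(measure_branches(PLUS))       # env(mu), mu = 1/2 C_0 + 1/2 C_1
    return {
        "mu_vs_CI": trace_distance(mu_env, dephase(PLUS)),   # 0: the mixture equals I/2
        "C0_vs_CI": trace_distance(KET0, HALF_I),            # 1/2: branch-wise they differ
        "C1_vs_CI": trace_distance(KET1, HALF_I),            # 1/2
        "C0_vs_C1": trace_distance(KET0, KET1),              # 1: orthogonal states
    }


if __name__ == "__main__":
    for name, value in example10_distances().items():
        print(f"{name}: {value:.4f}")
```

The `mu_vs_CI` entry being 0 is the content of clause (i) of Definition 11 holding for $\mu$ and $\mathcal{C}_I$ as wholes; the non-zero `C0_vs_CI` and `C1_vs_CI` entries are what forces a lifted (left-decomposable) relation to separate them.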

► Definition 14. Given $\lambda \in [0,1]$, a symmetric relation $\mathcal{R}$ over $D(Con)$ which is closed under super-operator application is a $\lambda$-bisimulation if for any $\mu \mathcal{R} \nu$, we have

1. $qv(\mu) = qv(\nu)$, and $d(env(\mu), env(\nu)) \leq \lambda$,

2. whenever $\mu \xrightarrow{\alpha} \mu'$, there exists $\nu'$ such that $\nu \stackrel{\hat{\alpha}}{\Rightarrow} \nu'$ and $\mu' \mathcal{R} \nu'$,

3. if $\mu$ is not transition consistent, and $\mu = \sum_{i \in I} p_i \cdot \mu_i$ is a tc-decomposition, then $\nu \Rightarrow \sum_{i \in I} p_i \cdot \nu_i$ such that $p^* \geq 1 - \lambda$, where $p^*$ is the total weight of the components $i$ with $\mu_i \mathcal{R} \nu_i$.

By induction, we can easily show that $\mu \xrightarrow{\alpha} \mu'$ can be replaced by $\mu \stackrel{\alpha}{\Rightarrow} \mu'$ in Clause (2).

The approximate bisimilarity $\approx_\lambda$ for quantum configurations and for quantum process terms is defined similarly to the exact bisimulation case. Furthermore, we define the bisimulation distance between distributions as $d_b(\mu, \nu) = \inf\{\lambda \geq 0 \mid \mu \approx_\lambda \nu\}$ and the bisimulation distance between process terms as $d_b(t, u) = \inf\{\lambda \geq 0 \mid \forall \psi$ and $\rho \in \mathcal{D}(\mathcal{H}),\ (t\psi, \rho) \approx_\lambda (u\psi, \rho)\}$. Here we assume that $\inf \emptyset = 1$. The next theorem shows that $d_b$ is indeed a pseudo-metric with $\approx$ as its kernel.

► Theorem 15. 1. The bisimulation distance $d_b$ is a pseudo-metric on $D(Con)$.

2. For any $\mu, \nu \in D(Con)$, $\mu \approx \nu$ if and only if $d_b(\mu, \nu) = 0$.
6 An illustrative example

For ease of notation, we extend the syntax of qCCS a little by allowing probabilistic choice at the syntax level³; that is, we assume $\sum_{i \in I} p_i \cdot t_i \in \mathcal{T}$ whenever $t_i \in \mathcal{T}$ and $p_i > 0$ for each $i \in I$ with $\sum_{i \in I} p_i = 1$. We further extend the transitional semantics in Fig. 1 by adding the following transition rule:

Dist: $\quad (\sum_{i \in I} p_i \cdot t_i,\ \rho) \xrightarrow{\tau} \sum_{i \in I} p_i \cdot (t_i, \rho)$

We also introduce the syntactic sugar $\mathbf{if}\ b\ \mathbf{then}\ t\ \mathbf{else}\ u$ as the abbreviation of $\mathbf{if}\ b\ \mathbf{then}\ t + \mathbf{if}\ \neg b\ \mathbf{then}\ u$.

BB84, the first quantum key distribution protocol, developed by Bennett and Brassard in 1984 [3], provides a provably secure way to create a private key between two parties, say Alice and Bob, with the help of a classical authenticated channel and an insecure quantum channel between them. Its security relies on the basic property of quantum mechanics that information gain about a quantum state is only possible at the expense of changing the state, provided the possible states are not all orthogonal. The basic BB84 protocol with security parameter $n$ goes as follows:

(1) Alice randomly generates two strings $B_a$ and $K_a$ of bits, each of size $n$.

(2) Alice prepares a string of qubits $\tilde{q}$, of size $n$, such that the $i$th qubit of $\tilde{q}$ is $|x_y\rangle$, where $x$ and $y$ are the $i$th bits of $B_a$ and $K_a$, respectively, and $|0_0\rangle = |0\rangle$, $|0_1\rangle = |1\rangle$, $|1_0\rangle = |+\rangle$, and $|1_1\rangle = |-\rangle$. Here $|+\rangle := (|0\rangle + |1\rangle)/\sqrt{2}$ and $|-\rangle := (|0\rangle - |1\rangle)/\sqrt{2}$.

(3) Alice sends the qubit string $\tilde{q}$ to Bob.

(4) Bob randomly generates a string of bits $B_b$ of size $n$.

(5) Bob measures each qubit received from Alice according to a basis determined by the bits he generated: if the $i$th bit of $B_b$ is $k$ then he measures with $\{|k_0\rangle, |k_1\rangle\}$, $k = 0, 1$. Let the measurement results be $K_b$, again a string of bits of size $n$.

(6) Bob sends his measurement bases $B_b$ back to Alice, and upon receiving the information, Alice sends her bases $B_a$ to Bob.

(7) Alice and Bob determine at which positions the bit strings $B_a$ and $B_b$ are equal. They discard the bits in $K_a$ and $K_b$ where the corresponding bits of $B_a$ and $B_b$ do not match.

After the execution of the basic BB84 protocol above, the remaining bits of $K_a$ and $K_b$, denoted by $K'_a$ and $K'_b$ respectively, should be the same, provided that the channels used are perfect and no eavesdropper exists.

To detect a potential eavesdropper Eve, Alice and Bob proceed as follows: 

(8) Alice randomly chooses $\lceil |K'_a|/2 \rceil$ bits of $K'_a$, denoted by $K''_a$, and sends to Bob $K''_a$ and its indexes in $K'_a$.

(9) Upon receiving the information from Alice, Bob sends back to Alice his substring $K''_b$ of $K'_b$ at the indexes received from Alice.

(10) Alice and Bob check whether the strings $K''_a$ and $K''_b$ are equal. If yes, then the remaining substring of $K'_a$ (resp. $K'_b$) obtained by deleting $K''_a$ (resp. $K''_b$) is the secure key shared by Alice (resp. Bob). Otherwise, an eavesdropper (or too much noise in the channels) is detected, and the protocol halts without generating any secure key.


^ Note that this extension will not change the expressive power of qCCS and all the results obtained in 
this paper, as probabilistic choices can be simulated by quantum measurements preceded by appropriate 
quantum state preparation. 
For simplicity, we omit the processes of information reconciliation and privacy amplification. Now we describe the basic BB84 protocol [Steps (1)-(7)] in qCCS as follows.

$$\begin{array}{rcl}
Alice(n) & := & \displaystyle\sum_{B_a, K_a \in \{0,1\}^n} \frac{1}{2^{2n}}\, Set_{K_a}[q].H_{B_a}[q].A2B!q.WaitA(B_a, K_a) \\[1ex]
WaitA(B_a, K_a) & := & b2a?B_b.a2b!B_a.keya!cmp(K_a, B_a, B_b).nil \\[1ex]
Bob(n) & := & A2B?q.\displaystyle\sum_{B_b \in \{0,1\}^n} \frac{1}{2^n}\, M_{B_b}[q; K_b].Set_0[q].b2a!B_b.WaitB(B_b, K_b) \\[1ex]
WaitB(B_b, K_b) & := & a2b?B_a.keyb!cmp(K_b, B_a, B_b).nil \\[1ex]
BB84(n) & := & Alice(n) \,\|\, Bob(n)
\end{array}$$


where $Set_{K_a}[q]$ sets the $i$th qubit of $q$ to the state $|K_a(i)\rangle$, $H_{B_a}[q]$ applies $H$ or does nothing on the $i$th qubit of $q$ depending on whether the $i$th bit of $B_a$ is 1 or 0, and $M_{B_b}[q; K_b]$ is the quantum measurement on $q$ according to the bases determined by $B_b$, i.e., for each $1 \le i \le n$, it measures $q_i$ with respect to the basis $\{|0\rangle, |1\rangle\}$ (resp. $\{|+\rangle, |-\rangle\}$) if $B_b(i) = 0$ (resp. 1), and stores the result into $K_b(i)$. The function $cmp$ takes a triple of bit-strings $x, y, z$ with the same size as inputs, and returns the substring of $x$ where the corresponding bits of $y$ and $z$ match. When $y$ and $z$ match nowhere, we let $cmp(x, y, z) = \epsilon$, the empty string. We add the operation $Set_0[q]$ in $Bob(n)$ for technical reasons: it makes the ideal specifications defined below simple.

To show the correctness of the basic BB84 protocol, we first put $BB84(n)$ in a test environment defined as follows:

$$\begin{array}{rcl}
Test & := & keya?k_a.keyb?k_b.(\text{if } k_a = k_b \text{ then } key!k_a.nil \text{ else } fail!0.nil) \\[1ex]
BB84_{test}(n) & := & (BB84(n) \,\|\, Test)\backslash\{a2b, b2a, A2B, keya, keyb\}
\end{array}$$


For the ideal specification of $BB84_{test}(n)$, we would like it to satisfy the following three conditions: (1) it is correct, in the sense that it will never perform $fail!0$; (2) the generated key $x$ with $|x| = i$ is uniformly distributed for each $i \le n$, that is, for any $x$ with $|x| = i$, $\Pr(x \text{ is the key obtained} \mid \text{key-length} = i) = 1/2^i$; (3) the length of the obtained key follows the unbiased binomial distribution, that is, for each $i \le n$, $\Pr(\text{key-length} = i) = \binom{n}{i}/2^n$. Thus we can let

$$BB84_{spec}(n) := \sum_{i=0}^{n}\ \sum_{x \in \{0,1\}^i} \frac{\binom{n}{i}}{2^{n+i}}\, Set_0[q].key!x.nil.$$


It is tedious but routine to check that $BB84_{test}(n) \sim BB84_{spec}(n)$ for any $n$.

Now we proceed to describe the protocol that detects potential eavesdroppers [Steps (1)-(10)]. Let

$$\begin{array}{rcl}
Alice'(n) & := & \Big(Alice(n) \,\|\, keya?k'_a.\displaystyle\sum_{x \subseteq \{1,\dots,m\},\ |x| = k} \frac{1}{\binom{m}{k}}\, a2b!x.a2b!SubStr(k'_a, x).b2a?K''_b. \\[1ex]
& & \quad (\text{if } SubStr(k'_a, x) = K''_b \text{ then } key'_a!RemStr(k'_a, x).nil)\Big)\backslash\{keya\} \\[1ex]
Bob'(n) & := & \Big(Bob(n) \,\|\, keyb?k'_b.a2b?x.a2b?K''_a.b2a!SubStr(k'_b, x). \\[1ex]
& & \quad (\text{if } SubStr(k'_b, x) = K''_a \text{ then } key'_b!RemStr(k'_b, x).nil)\Big)\backslash\{keyb\} \\[1ex]
BB84'(n) & := & Alice'(n) \,\|\, Bob'(n)
\end{array}$$

where $m = |k'_a|$ and $k = \lceil m/2 \rceil$, the function $SubStr(k'_a, x)$ returns the substring of $k'_a$ at the indexes specified by $x$, and $RemStr(k'_a, x)$ returns the remaining substring of $k'_a$ by deleting $SubStr(k'_a, x)$.
To get a taste of the security of the BB84 protocol, we consider a special case where Eve's strategy is to simply measure the qubits sent by Alice, according to randomly guessed bases, to get the keys and resend these qubits to Bob. That is, we define

$$Eve(n) := A2E?q.\sum_{B_e \in \{0,1\}^n} \frac{1}{2^n}\, M_{B_e}[q; K_e].key'_e!K_e.E2B!q.nil$$

Again, we put $BB84'(n)$ in a test environment, but now the environment includes the presence of Eve:

$$\begin{array}{rcl}
Test' & := & key'_a?x.key'_b?y.key'_e?z.(\text{if } x \ne y \text{ then } fail!0.nil \text{ else } (\text{if } x = z \text{ then } hacked!0.nil)) \\[1ex]
BB84'_{test}(n) & := & (Alice'(n)[f_a] \,\|\, Bob'(n)[f_b] \,\|\, Eve(n) \,\|\, Test')\backslash L
\end{array}$$

where $L = \{a2b, b2a, A2E, E2B, key'_a, key'_b, key'_e\}$, $f_a(A2B) = A2E$, and $f_b(A2B) = E2B$.

Now, to show the security of $BB84'$, it suffices to prove the following property:

$$BB84'_{test}(n) \approx_{c^n} Set_0[q].nil \qquad (1)$$

where $c = 1/2 + \sqrt{3}/4 < 1$. Thus the bisimulation distance between $BB84'_{test}(n)$ and $Set_0[q].nil$ is at most $c^n$. That is, the testing system behaves just like a protocol which only sets the qubits $q$ to $|0\rangle\langle 0|$. As the process $Set_0[q].nil$ never performs $fail!0$ or $hacked!0$, this indicates that the insecurity degree of BB84 is at most $c^n$, which decreases exponentially to 0 as $n$ tends to infinity.

To show Eq. (1), take an arbitrary $\rho \in \mathcal{D}(\mathcal{H})$, and let $\mathcal{C} = \langle BB84'_{test}(n), \rho\rangle$ and $\mathcal{D} = \langle Set_0[q].nil, \rho\rangle$. Basically, we only need to compute the total probability of $\mathcal{C}$ eventually performing $fail!0$ or $hacked!0$. The reason is, they are the only visible actions of $\mathcal{C}$ ($\mathcal{D}$ does not perform any visible action at all), and also the only actions which contribute to possible transition inconsistency of distributions obtained from $\mathcal{C}$. If the total probability of their appearance is upper bounded by $c^n$, then $\mathcal{C}$ and $\mathcal{D}$ are $c^n$-bisimilar.

For each qubit sent by Alice, Eve chooses the wrong basis with probability 1/2, and in this case, if Bob measures this qubit according to the correct basis, he will get an incorrect result with probability 1/2. Thus for each qubit for which Bob guesses the correct basis, the probability that Alice and Bob get different key bits is 1/4. Furthermore, for each $i$-length raw key generated by the basic BB84, Alice and Bob will compare $i/2$ key bits during the eavesdropper-detection phase. The probability that they fail to detect the eavesdropper is then $(3/4)^{i/2}$. Note that the protocol proceeds only when the eavesdropper is not detected. Hence the probability of observing $fail!0$ or $hacked!0$ is upper bounded by

$$\sum_{i=0}^{n}\ \sum_{x \in \{0,1\}^i} \frac{\binom{n}{i}}{2^{n+i}} \Big(\frac{3}{4}\Big)^{i/2} = \sum_{i=0}^{n} \binom{n}{i} \frac{1}{2^n} \Big(\frac{\sqrt{3}}{2}\Big)^{i} = \Big(\frac{1}{2} + \frac{\sqrt{3}}{4}\Big)^{n} = c^n.$$
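As an added example (not code from the paper), the following Python runs Steps (1)-(10) against the intercept-resend $Eve(n)$ described above and checks the bound just derived: `bound_sum` evaluates the double sum, `bound_closed` the right-hand side $c^n$ of Eq. (1), and `fail_or_hacked_rate` estimates by simulation how often $Test'$ would observe $fail!0$ or $hacked!0$. All function names are ours; the qubits are modelled as (basis, bit) pairs, which is exact for the four BB84 states.

```python
"""Added example, not the paper's code: BB84 steps (1)-(10) run against the
intercept-resend Eve(n), plus the c^n bound of Eq. (1).  A BB84 state is a (basis,
bit) pair; a wrong-basis measurement gives a uniform bit and re-prepares the qubit in
that basis, which is exact for these four states, so no amplitudes are needed."""
import math
import random

def measure(qubit, basis, rng):  # -> (result, post-measurement qubit)
    if basis == qubit[0]:
        return qubit[1], qubit
    bit = rng.getrandbits(1)
    return bit, (basis, bit)

def cmp(x, y, z):
    """The paper's cmp: bits of x where y and z match (empty if they never do)."""
    return [xi for xi, yi, zi in zip(x, y, z) if yi == zi]

def run_bb84(n, rng, eve=False):
    """One run; returns 'detected', 'fail', 'hacked' or 'ok' as in Test / Test'."""
    Ba, Ka = ([rng.getrandbits(1) for _ in range(n)] for _ in range(2))  # step (1)
    q = list(zip(Ba, Ka))                                     # step (2): |Ba(i) Ka(i)>
    Ke = [None] * n                                           # Eve's raw key, if any
    if eve:                                                   # Eve(n): M_Be[q;Ke], resend q
        for i in range(n):
            Ke[i], q[i] = measure(q[i], rng.getrandbits(1), rng)
    Bb = [rng.getrandbits(1) for _ in range(n)]               # step (4)
    Kb = [measure(qi, b, rng)[0] for qi, b in zip(q, Bb)]     # step (5): M_Bb[q;Kb]
    ka, kb, ke = (cmp(s, Ba, Bb) for s in (Ka, Kb, Ke))       # step (7); bases now public
    x = set(rng.sample(range(len(ka)), math.ceil(len(ka) / 2)))          # step (8)
    rest = [i for i in range(len(ka)) if i not in x]          # positions kept as key
    key_a, key_b, key_e = ([s[i] for i in rest] for s in (ka, kb, ke))   # RemStr
    if [ka[i] for i in sorted(x)] != [kb[i] for i in sorted(x)]:  # step (10): SubStr differs
        return 'detected'
    if key_a != key_b:
        return 'fail'                                         # Test: fail!0
    if eve and key_a == key_e:
        return 'hacked'                                       # Test': hacked!0
    return 'ok'

def bound_closed(n):  # right-hand side of Eq. (1): c^n, c = 1/2 + sqrt(3)/4
    return (0.5 + math.sqrt(3) / 4) ** n

def bound_sum(n):  # the paper's sum with the 2^i choices of x summed out
    return sum(math.comb(n, i) / 2 ** n * 0.75 ** (i / 2) for i in range(n + 1))

def fail_or_hacked_rate(n, trials, eve=True, seed=0):
    """Monte Carlo frequency of fail!0 or hacked!0 (the observables of Test / Test')."""
    rng = random.Random(seed)
    hits = sum(run_bb84(n, rng, eve) in ('fail', 'hacked') for _ in range(trials))
    return hits / trials
```

Without Eve the rate is exactly 0, matching condition (1) of the specification; with Eve it stays below `bound_closed(n)`, since `(3/4)**(i/2)` only upper-bounds the undetected runs and some of those still end with equal Alice/Bob keys that Eve does not hold.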


7 Conclusion and Future Work

In this paper, we have proposed a novel notion of distribution-based bisimulation for quantum processes in qCCS. In contrast with previous bisimulations introduced in the literature, our definition is reasonably weaker in that it equates some intuitively bisimilar processes which are not bisimilar according to the previous definitions, and is thus more useful in applications. We further defined a bisimulation distance to characterise the extent to which two processes are bisimilar. As an application, we applied the notions of distribution-based bisimulation and bisimulation distance to show that the quantum key distribution protocol BB84 is sound and secure against the intercept-resend attacker. To the best of our knowledge, this is the first time in the literature that the (asymptotic) security of BB84 has been analysed in the framework of a quantum process algebra.

^ Here we adopt a weak notion of security: by secure we mean the eavesdropper ends up with a false key string. A stronger and more practical notion of security should take into account the mutual information between the keys held by the legitimate parties and the eavesdropper. We leave the analysis of BB84 with respect to this notion of security for future work.

There are still many questions remaining for further study. Firstly, as pointed out in Section 6, the notion of security we adopted for the analysis of BB84 is a rather weak one. In the quantum information field, people normally use the mutual information between the states held by the legitimate parties and the eavesdropper to quantify the leakage of secure information. Performing a security analysis of BB84 in terms of this stronger notion of security, and against more complex models of attack beyond the intercept-resend one studied in the current paper, is one of the future directions we are pursuing.

Secondly, bisimilarity checking is usually a very tedious and routine task which can barely be done by hand. This issue becomes more serious when the number of parties involved and the number of communication rounds increase. To deal with this problem, and to make the process algebra approach more applicable to the analysis of general quantum cryptographic protocols, we are going to develop a software tool for automated bisimilarity checking. On the theoretical side, we will explore the possibility of extending the symbolic bisimulation proposed in [10] to the distribution-based case, to decrease the computational complexity of determining bisimilarity.

Finally, as shown in [14], distribution-based bisimulation is not a congruence in general, unless restricted to distributed schedulers. However, as argued by the authors of [14], non-distributed schedulers, which are responsible for the incongruence, are actually very unrealistic and do not appear in real-world applications. To show that our distribution-based bisimulation is a congruence for qCCS processes under distributed schedulers, and to study the implications of distributed schedulers for quantum cryptographic protocols, are also topics worthy of further consideration.


Acknowledgement 

This work was partially supported by Australian Research Council (Grant No. DP 130102764). 
Y. F. is also supported by the National Natural Science Foundation of China (Grant Nos. 
61428208 and 61472412) and the CAS/SAFEA International Partnership Program for Creative 
Research Team. 


References 


1 A. Aldini and A. D. Pierro. Estimating the maximum information leakage. International 
Journal of Information Security, 7(3):219-242, 2008. 

2 E. Ardeshir-Larijani, S. J. Gay, and R. Nagarajan. Equivalence checking of quantum 
protocols. In TACAS’13, pages 478-492. Springer, 2013. 

3 E. Ardeshir-Larijani, S. J. Gay, and R. Nagarajan. Verification of concurrent quantum 
protocols by equivalence checking. In TACAS'14, pages 500-514. Springer, 2014. 

4 C. H. Bennett and G. Brassard. Quantum cryptography: Public-key distribution and coin 
tossing. In Proceedings of the IEEE International Conference on Computers, Systems and 
Signal Processing, pages 175-179, 1984. 




5 T. A. S. Davidson. Formal Verification Techniques using Quantum Process Calculus. PhD 
thesis, University of Warwick, 2011. 

6 Y. Deng and Y. Feng. Open bisimulation for quantum processes. In TCS'12: Proceedings 
of the 7th IFIP TC 1/WG 2.2 International Conference on Theoretical Computer Science. 
Springer-Verlag, Sept. 2012. Full version available at http://arxiv.org/abs/1201.0416. 

7 Y. Deng, R. van Glabbeek, M. Hennessy, and C. Morgan. Testing finitary probabilistic 
processes (extended abstract). In CONCUR'09, pages 274-288. Springer, 2009. 

8 L. Doyen, T. A. Henzinger, and J.-F. Raskin. Equivalence of labeled Markov chains. 
International Journal of Foundations of Computer Science, 19(3):549-563, 2008. 

9 C. Eisentraut, J. C. Godskesen, H. Hermanns, L. Song, and L. Zhang. Late Weak 
Bisimulation for Markov Automata. http://arxiv.org/abs/1202.4116, Feb. 2012. 

10 Y. Feng, Y. Deng, and M. Ying. Symbolic bisimulation for quantum processes. ACM 
Transactions on Computational Logic, 15(2):14:1-14:32, May 2014. 

11 Y. Feng, R. Duan, Z. Ji, and M. Ying. Probabilistic bisimulations for quantum processes. 
Information and Computation, 205(11):1608-1639, Nov. 2007. 

12 Y. Feng, R. Duan, and M. Ying. Bisimulations for quantum processes. In M. Sagiv, editor, 
POPL'11, pages 523-534, 2011. 

13 S. J. Gay and R. Nagarajan. Communicating quantum processes. In J. Palsberg and 
M. Abadi, editors, POPL'05, pages 145-157, 2005. 

14 H. Hermanns, J. Krcal, and J. Kretinsky. Probabilistic bisimulation: Naturally on 
distributions. In P. Baldan and D. Gorla, editors, CONCUR'14. Springer, 2014. 

15 B. Jonsson, W. Yi, and K. G. Larsen. Probabilistic extensions of process algebras. In 
Handbook of process algebra, pages 685-710. 2001. 

16 P. Jorrand and M. Lalire. Toward a quantum process algebra. In P. Selinger, editor, 
QPL’04, page 111, 2004. 

17 T. Kubota, Y. Kakutani, G. Kato, Y. Kawano, and H. Sakurada. Application of a process 
calculus to security proofs of quantum protocols. In FCS’12, pages 141-147, 2012. 

18 M. Kwiatkowska, G. Norman, and D. Parker. PRISM 2.0: a tool for probabilistic model 
checking. In QEST'04, pages 322-323, Sept. 2004. 

19 M. Lalire. Relations among quantum processes: Bisimilarity and congruence. Mathematical 
Structures in Computer Science, 16(3):407-428, 2006. 

20 D. Mayers. Unconditional security in quantum cryptography. Journal of the ACM, 
48(3):351-406, 2001. 

21 J. Mitchell, A. Ramanathan, A. Scedrov, and V. Teague. A Probabilistic Polynomial-time 
Calculus for Analysis of Cryptographic Protocols (Preliminary Report). Electronic Notes 
in Theoretical Computer Science, 45:280-310, Dec. 2000. 

22 R. Nagarajan, N. Papanikolaou, G. Bowen, and S. Gay. An automated analysis of the 
security of quantum key distribution. In SecCo’05, 2005. 

23 M. Nielsen and I. Chuang. Quantum computation and quantum information. Cambridge 
University Press, 2000. 

24 A. D. Pierro, C. Hankin, and H. Wiklicky. Measuring the confinement of probabilistic 
systems. Theoretical Computer Science, 340(1):3-56, 2005. 

25 A. Ramanathan, J. Mitchell, A. Scedrov, and V. Teague. Probabilistic bisimulation and 
equivalence for security analysis of network protocols. In FOSSACS'04, pages 468-483. 
Springer, Berlin, 2004. 

26 P. W. Shor and J. Preskill. Simple proof of security of the BB84 quantum key distribution 
protocol. Physical Review Letters, 85(2):441, 2000. 

27 M. Ying, Y. Feng, R. Duan, and Z. Ji. An algebra of quantum processes. ACM Transactions 
on Computational Logic, 10(3):1-36, Apr. 2009. 




© Yuan Feng and Mingsheng Ying; licensed under Creative Commons License CC-BY 
Leibniz International Proceedings in Informatics 
LIPIcs Schloss Dagstuhl - Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany 




